Updated: Jan 1, 2021
Identity management can be broadly divided into "Workforce Identity" and "Customer Identity", and there is a reason to treat them differently. It is possible to design or run both the same way, but doing so will probably deliver neither the experience nor the security each of them needs.
That may have been acceptable several years ago, but today the first thing you want to do is handle them separately, if you are not doing so already.
We will discuss several terms you will come across while designing your IAM solutions; some of them overlap whether you are talking about CIAM or EIAM. The difference comes from which resources are shared with customers versus the workforce, the kind of experience you want for each, and the record kept of their interactions. Your customers' access should be limited to using your services, whereas your employees will need broader access to support the system that serves those customers.
For customers you want to monitor activity and interests and analyze that data to increase sales; for employees interacting with the system the focus is more on audit and security. A customer should be served in fractions of a second for a good experience. For employees, experience still matters, but depending on the sensitivity of the resource some timeouts or slowness (strong encryption of everything, multiple authentication steps) are tolerable, which a customer might not welcome. Given customers' short attention span, the UX has to be much better, with no compromise in security.
Customers might log in with one of several social media accounts, might share profile information gradually (progressive profiling), or might have to be provisioned on their first visit (JIT provisioning). For employees, RBAC/ABAC and SSO make sense, since employees access several systems and can be authenticated against a central repository. B2B interaction is more of a CIAM matter. An Access Gateway would be the point of interaction for your service, where you can monitor and enforce policies. You might use a directory for both employees and customers, but customers may not need to be in Active Directory, as they won't be logging in to your VPN, MS Office, or other internal resources.
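To make the split concrete, here is an added example (not code from the original post) of an access-gateway policy that handles the two populations differently: customers arriving from a social IdP are JIT-provisioned on first login and have later-shared attributes merged in (progressive profiling), and are confined to the service's actions on their own records; employees are looked up in a central repository and authorized by role (RBAC). The directory contents, role names and action names are constructed sample data.

```python
# Constructed sample "central repository" of workforce identities with roles (RBAC).
WORKFORCE_DIRECTORY = {
    "alice@corp.example": {"roles": {"support-agent"}},
    "bob@corp.example": {"roles": {"billing-admin"}},
}
# Role -> actions an employee may perform on the customer-facing system (constructed).
ROLE_PERMISSIONS = {
    "support-agent": {"order:read", "customer:read"},
    "billing-admin": {"order:read", "order:refund", "customer:read"},
}
# Fixed customer policy: only service actions, and only on the customer's own records.
CUSTOMER_PERMISSIONS = {"order:read", "order:create", "profile:update"}

# Customer store, populated just-in-time on first login from a social IdP.
CUSTOMER_STORE = {}


def provision_customer(issuer, subject, claims):
    """JIT provisioning plus progressive profiling.

    Creates the customer record on first login (keyed by IdP issuer and subject so
    two IdPs cannot collide on the same subject value) and merges any newly shared
    profile attributes on later logins. Returns (key, record)."""
    key = f"{issuer}|{subject}"
    record = CUSTOMER_STORE.setdefault(key, {"profile": {}, "logins": 0})
    record["profile"].update({k: v for k, v in claims.items() if v is not None})
    record["logins"] += 1
    return key, record


def gateway_authorize(identity, action, resource_owner):
    """Policy enforcement point at the access gateway.

    identity is a dict with "type" of "employee" (carrying "upn") or "customer"
    (carrying "issuer", "subject" and optional "claims"). resource_owner is the
    customer key that owns the record being acted on."""
    if identity.get("type") == "employee":
        entry = WORKFORCE_DIRECTORY.get(identity.get("upn"))
        if entry is None:  # not in the central repository: deny
            return False
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in entry["roles"]))
        return action in allowed
    if identity.get("type") == "customer":
        key, _ = provision_customer(identity["issuer"], identity["subject"],
                                    identity.get("claims", {}))
        # Customers never get workforce actions and never touch other customers' data.
        return action in CUSTOMER_PERMISSIONS and resource_owner == key
    return False  # unknown identity type: default deny
```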